Adding more tests for AES-SIV.

Bug: 66947041
Bug: 65864441

Change-Id: I367b1f6ee318b8b42ade5467a9ce649f25731efb
ORIGINAL_AUTHOR=Daniel Bleichenbacher <bleichen@google.com>
GitOrigin-RevId: 19b921d2d165971059e087294ffae893156e7657

java/src/test/java/com/google/crypto/tink/subtle/AesSivTest.java

@@ -21,11 +21,14 @@ import static org.junit.Assert.fail;
 
 import com.google.crypto.tink.DeterministicAead;
 import com.google.crypto.tink.TestUtil;
+import com.google.crypto.tink.WycheproofTestUtil;
 import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.util.Arrays;
 import javax.crypto.AEADBadTagException;
 import javax.crypto.Cipher;
+import org.json.JSONArray;
+import org.json.JSONObject;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -45,12 +48,57 @@ public class AesSivTest {
               + " but not installed. Skip most AesSiv tests.");
       keySizeInBytes = new Integer[] {};
     } else if (TestUtil.isAndroid()) {
+      // Conscrypt on Android does not support 192-bit keys.
       keySizeInBytes = new Integer[] {64};
     } else {
       keySizeInBytes = new Integer[] {48, 64};
     }
   }
 
+  @Test
+  public void testWycheproofVectors() throws Exception {
+    JSONObject json = WycheproofTestUtil.readJson("testdata/wycheproof/aes_siv_cmac_test.json");
+    WycheproofTestUtil.checkAlgAndVersion(json, "AES-SIV-CMAC", "0.1.6");
+    JSONArray testGroups = json.getJSONArray("testGroups");
+    for (int i = 0; i < testGroups.length(); i++) {
+      JSONObject group = testGroups.getJSONObject(i);
+      int keySize = group.getInt("keySize");
+      JSONArray tests = group.getJSONArray("tests");
+      if (!Arrays.asList(keySizeInBytes).contains(keySize / 8)) {
+        System.out.println("Skipping tests with key size: " + keySize);
+        continue;
+      }
+      for (int j = 0; j < tests.length(); j++) {
+        JSONObject testcase = tests.getJSONObject(j);
+        int tcid = testcase.getInt("tcId");
+        String comment = "tcId: " + tcid + " " + testcase.getString("comment");
+        byte[] key = Hex.decode(testcase.getString("key"));
+        byte[] msg = Hex.decode(testcase.getString("msg"));
+        byte[] aad = Hex.decode(testcase.getString("aad"));
+        byte[] ct = Hex.decode(testcase.getString("ct"));
+        // Result is one of "valid" and "invalid".
+        // "valid" are test vectors with matching plaintext and ciphertext.
+        // "invalid" are test vectors with invalid parameters or invalid ciphertext.
+        String result = testcase.getString("result");
+
+        DeterministicAead daead = new AesSiv(key);
+        if (result.equals("valid")) {
+          byte[] ciphertext = daead.encryptDeterministically(msg, aad);
+          assertEquals(comment, Hex.encode(ct), Hex.encode(ciphertext));
+          byte[] plaintext = daead.decryptDeterministically(ct, aad);
+          assertEquals(comment, Hex.encode(msg), Hex.encode(plaintext));
+        } else {
+          try {
+            byte[] plaintext = daead.decryptDeterministically(ct, aad);
+            fail("Decrypted invalid ciphertext:" + comment + " as:" + Hex.encode(plaintext));
+          } catch (GeneralSecurityException ex) {
+            // This is expected
+          }
+        }
+      }
+    }
+  }
+
   @Test
   public void testEncryptDecryptWithEmptyPlaintext() throws GeneralSecurityException {
     for (int keySize : keySizeInBytes) {